Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 9d889525c617e307…

Verdict: MALICIOUS

Type: Office (OLE) / .XLS
Size: 2.34 MB
Created: 2003-12-15 13:23:04
MD5: cd2d240e93cc9722c14a43a4e4624bd0
SHA-1: 542f054b5cddd0481de06937db8973481678ff25
SHA-256: 9d889525c617e30774cdee256839bba785680c8a2650ca948daa8a914e6e72cf
Risk Score: 482

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1566.001 Spearphishing Attachment
  • T1105 Ingress Tool Transfer

The file is an XLS document that contains an embedded PE executable, identified by ClamAV as Win.Trojan.Agent-575075. Static heuristics found string references to APIs such as CreateProcess, VirtualAlloc, VirtualProtect, WriteProcessMemory, LoadLibrary, and GetProcAddress, a combination consistent with the embedded executable being mapped into memory and executed. The embedded URL is likely used for command and control or to download additional payloads.

Heuristics (13)

  • Reference to WriteProcessMemory API [critical] SC_STR_WRITEPROCESSMEMORY
  • Embedded PE executable [critical] OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • ClamAV: Win.Trojan.Agent-575075 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Agent-575075
  • ClamAV detection on extracted artifact [critical] EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • NOP sled detected [high] SC_NOP_SLED
    Found 20+ consecutive 0x90 bytes
  • x86 GetPC stub (CALL $+5; POP EBP) [high] SC_GETPC_CALL
  • Reference to CreateProcess API [high] SC_STR_CREATEPROCESS
  • Reference to LoadLibrary API [high] SC_STR_LOADLIBRARY
  • Reference to GetProcAddress API [high] SC_STR_GETPROCADDRESS
  • Reference to VirtualAlloc API [medium] SC_STR_VIRTUALALLOC
  • Reference to VirtualProtect API [medium] SC_STR_VIRTUALPROTECT
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://webs.uolsinectis.com.ar/suoem_sanfco

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Artifact 1
  Filename: embedded_office_000020a1.exe
  SHA-256: 9bdacde16ead15ac68d2d1dfdf69da1d9d87191e3b564e808c594a8543fbf10b
  Kind: embedded-pe
  Source: Office MZ+PE at offset 0x20A1
  Size: 2445663 bytes
  Detection: ClamAV: Win.Trojan.Agent-575075
  Obfuscation or payload: likely (carved artifact entropy is 7.76, consistent with packed or encrypted content)

Artifact 2
  Filename: ole10native_00.bin
  SHA-256: cb93e0358e75adcf8262a5110068ec039a553556f439fd692fecbab3d70d85ea
  Kind: ole-package
  Source: OLE Ole10Native stream: MBD00BC19A0/Ole10Native
  Size: 704674 bytes
  Detection: ClamAV: Win.Trojan.Agent-575075
  Obfuscation or payload: likely (carved artifact entropy is 7.76, consistent with packed or encrypted content)

Artifact 3
  Filename: ole10native_02.bin
  SHA-256: f10cc1cabbc55e0eb198c2a85df32849d0b3c52116e78e2d0129d09ace26797a
  Kind: ole-package
  Source: OLE Ole10Native stream: MBD01A43729/Ole10Native
  Size: 704675 bytes
  Detection: ClamAV: Win.Trojan.Agent-575075
  Obfuscation or payload: likely (carved artifact entropy is 7.76, consistent with packed or encrypted content)